Thursday, 3 September 2015

API Token authentication: Good practices

I'm currently building a REST API in the context of a school project, but I'm quite new to building APIs with token authentication: I'm looking for good practices.

I was following the rules detailed in this article. It's a French blog article, but the interesting part is the last rule concerning token authentication.

If someone wants to authenticate, he first has to send a sign-in request (for example, POST /sessions, with email and password as POST data). If the authentication has succeeded, the server responds by sending back a token (let's say, "abcd...").

Then, if the user wants to access the API, he has to send the token back with the request, but encrypted. For example, if the user wants to list all the users, he would query the /users path with an HTTP GET request. He would also send the following token with the request: md5("abcd..." GET /users), and not directly the original token returned by the API ("abcd...").

Is it a good practice? Is it really necessary, or is just sending the original token in each request enough?
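
The exchange described above, written out as an added example (not code from the post or from the linked article): a sign-in that issues a random token, the client's derived per-request value md5(token + method + path), and the server-side check. The post does not say how the server knows which session a derived value belongs to (MD5 output cannot be reversed to recover the token), so the example assumes the client also sends its email. It also goes one step beyond the post with a keyed HMAC variant that mixes in a timestamp, because the MD5 value for GET /users never changes and a captured copy stays valid for as long as the session lives. All users, passwords and stores are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stores for the example; a real server would keep sessions in a
# database or cache with an expiry and store a salted password hash, not the
# plaintext password used here for brevity.
USERS = {"alice@example.com": "correct horse battery staple"}
SESSIONS = {}  # email -> session token (assumption: one session per user)


def sign_in(email, password):
    """POST /sessions: on valid credentials, issue a random 128-bit token."""
    expected = USERS.get(email)
    # compare_digest keeps the comparison time independent of where the
    # first mismatching character is.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    token = secrets.token_hex(16)
    SESSIONS[email] = token
    return token


def derive_md5(token, method, path):
    """The post's scheme: send md5(token + method + path) instead of the raw
    token. Nothing time- or request-specific is mixed in, so the value for
    GET /users is the same for every request of the session."""
    return hashlib.md5(f"{token} {method} {path}".encode()).hexdigest()


def derive_hmac(token, method, path, timestamp):
    """Keyed variant (not in the post): HMAC-SHA256 keyed with the session
    token over method, path and a client timestamp, so a captured value
    stops being accepted once the timestamp falls outside the server window."""
    msg = f"{method} {path} {timestamp}".encode()
    return hmac.new(token.encode(), msg, hashlib.sha256).hexdigest()


def verify_md5(email, presented, method, path):
    """Server side for the post's scheme. Assumption: the client identifies
    its session by email so the server can look up the token and recompute."""
    token = SESSIONS.get(email)
    if token is None:
        return False
    return hmac.compare_digest(derive_md5(token, method, path), presented)


def verify_hmac(email, presented, method, path, timestamp, now=None, window=300):
    """Server side for the keyed variant: reject timestamps outside the
    window first, then recompute and compare in constant time."""
    now = time.time() if now is None else now
    if abs(now - timestamp) > window:
        return False
    token = SESSIONS.get(email)
    if token is None:
        return False
    return hmac.compare_digest(derive_hmac(token, method, path, timestamp), presented)


def demo():
    """Walk through sign-in, a derived value for GET /users, and what the
    server accepts later and for a different path."""
    token = sign_in("alice@example.com", "correct horse battery staple")
    assert token is not None

    # Post's scheme: the client never sends the raw token itself.
    sig = derive_md5(token, "GET", "/users")
    ok_now = verify_md5("alice@example.com", sig, "GET", "/users")
    # Method and path are bound, time is not: the same value is accepted
    # again for GET /users but not for another path.
    later_ok = verify_md5("alice@example.com", sig, "GET", "/users")
    other_path = verify_md5("alice@example.com", sig, "GET", "/admin")

    # Keyed variant: accepted inside the window, rejected an hour later.
    t0 = 1_700_000_000
    hsig = derive_hmac(token, "GET", "/users", t0)
    fresh = verify_hmac("alice@example.com", hsig, "GET", "/users", t0, now=t0 + 10)
    stale = verify_hmac("alice@example.com", hsig, "GET", "/users", t0, now=t0 + 3600)
    return {"ok_now": ok_now, "later_ok": later_ok, "other_path": other_path,
            "fresh": fresh, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

Whichever derivation is used, the raw token still has to reach the client once at sign-in, so the transport (TLS) is what actually protects it; the derived value only keeps it off the wire on subsequent requests. The timestamp window in `verify_hmac` is an assumption of this example (five minutes), not a value from the post.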

What is your advice for implementing token authentication?

In my research, I've also read about JWT (JSON Web Token). What is it? Is it supposed to replace the original token returned by the API, or to encapsulate the token sent by the client to the API with each request? Or something else?



